How to set access log output for access log output bucket


We are considering support for Security Hub. In order to clear the check of S3.9, I prepared a bucket for access log output and set it to output access log there. However, the check cannot be cleared because the access log output setting of the access log output bucket has not been set. How can I clear this check? If possible, I would like to solve it in a way that does not ignore it.

[S3.9] This control checks if an Amazon S3 Bucket has server access logging enabled to a chosen target bucket.

4 Answers
  • thank you for your answer. I checked the documentation but didn't find the answer I expected.

Accepted Answer

Ultimately, at some point, you'll have a bucket that does not have access logging enabled because you'll always have a circular reference and then a runaway increase in logging.

Best practice is to lock down the bucket to which those access logs are being written by using version history, MFA on Delete, restricting access to service roles (which does not include delete actions) from systems where the logs can be accessed (e.g. SIEM, Amazon Redshift, Amazon OpenSearch, or other data warehouse/visualization solution).

You will still have AWS Cloudtrail logs which can also help identify access requests to the bucket to provide some level of access monitoring. Finally, the AWS Documentation on [S3.9] S3 bucket server access logging should be enabled explicitly states:

"The target logging bucket does not need to have server access logging enabled, and you should suppress findings for this bucket."

answered 2 years ago
  • Thank you for your answer. I see that I can suppress the log bucket. (Select the bucket and click on the Workflow status button, then Suppressed)


Check this blog and also make sure that the permissions through bucket policies and/or ACL is not blocking.

answered 2 years ago
  • Sorry I didn't ask the question well. I am not having trouble with how to output the access log, but rather where to output the access log for the bucket that collects the access log.

    source buckettarget bucket for access log

You could set it up to any bucket of your choice, is there any trouble with that?

answered 2 years ago
  • I am concerned about the following cases.

    1. Access Bucket-A (access to Bucket-A occurs)
    2. Access log to Bucket-A is output to Log-Bucket (access to Log-Bucket occurs)
    3. Access log to Log-Bucket is output to Log-Bucket2 (access to Log-Bucket2 occurs)
    4. Access log to Log-Bucket2 is output to Log-Bucket3 (access to Log-Bucket3 occurs)

    Wouldn't it be an infinite loop like this?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions